Steelsoldiers.com HACKED!!!


Postby pfarber » Mon Mar 26, 2012 12:04 pm

Seems that the 'holy rollers' at Steelsoldiers.com got hacked in a BIG way.

I got some really weird emails (spam) from them, and now the board is down.

hahahahahaha they pissed off the wrong person... the mods treat you like shit there.

PS No, it wasn't me.
I got a Mountain Cur and a ~~pitbull~~ big loveable cuddle puppy
RIP Kimber 5/26/2022
RIP Yeager 1/3/2019
RIP TJ 3/25/2014
RIP Sugar Bear 8/29/2014
RIP Shilo 4/10/2015
RIP Yuki 2/19/2017
pfarber
Motor Sergeant
 
Posts: 2839
Joined: Wed Oct 10, 2007 2:45 am
Location: The Internet

Re: Steelsoldiers.com HACKED!!!

Postby pfarber » Mon Mar 26, 2012 12:29 pm

Here is the email header that proves Steelsoldiers.com is lying about why they are down. These are the mail headers from the spam they are sending from being hacked.

Received: from [12.222.202.34] (helo=www.steelsoldiers.com)
by box386.bluehost.com with esmtp (Exim 4.76)
(envelope-from <steelsol@www.steelsoldiers.com>)
id 1SCD4s-00063C-Rh
for paulfarber@42gpw.com; Mon, 26 Mar 2012 10:47:30 -0600
Received: by www.steelsoldiers.com (Postfix, from userid 500)
id 5EEC7D31B2B; Mon, 26 Mar 2012 12:47:21 -0400 (EDT)

Received: by www.steelsoldiers.com (Postfix, from userid 500)
id 5EEC7D31B2B; Mon, 26 Mar 2012 12:47:21 -0400 (EDT)
This line states that it was injected into the LOCAL mail spool by the local mail user (UID=500)
On UNIX systems user accounts start at 1000. Anything from 0 (root) to 999 are system accounts.

Received: from [12.222.202.34] (helo=www.steelsoldiers.com)
by box386.bluehost.com with esmtp (Exim 4.76)
(envelope-from <steelsol@www.steelsoldiers.com>)
id 1SCD4s-00063C-Rh
for paulfarber@42gpw.com; Mon, 26 Mar 2012 10:47:30 -0600
This is what my mail server saw. This is called the 'envelope' and is recorded by the mail servers when they connect.
The IP address is correct for steelsoldiers.com, as is the HELO command from the server connection.

Here is what my mail server says when you connect to it and issue the HELO command:

yeager@laptop:~$ telnet www.42gpw.com 25
Trying 69.89.31.186...
Connected to www.42gpw.com.
Escape character is '^]'.
220-box386.bluehost.com ESMTP Exim 4.76 #1 Mon, 26 Mar 2012 11:24:45 -0600
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
ehlo
250-box386.bluehost.com Hello [75.97.34.231]

Note the last line in bold. It records the IP address and host name (via reverse DNS lookup)

My guess is that they pissed off someone... most likely with the new political posts rule.

Personally the people that run that board are tools. They don't follow their own rules and unless you are one of the 'chosen few' you have to tip toe around correcting them. Most of the people who post are nice enough, but the mods are asshats.
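
As an added example (not from the thread), a small Python parser for the Received chain quoted above: it unfolds the headers, pulls the connecting IP, HELO name and recording host out of each hop, flags the hop that Postfix accepted from a local process ("from userid"), and checks that each hop's HELO name matches the host recorded by the hop beneath it. The sample headers are the two hops from the post, re-folded the way they sit in a raw message.

```python
import re
# Constructed sample: the two Received hops quoted in the post above,
# outermost (most recently added) first, folded as in a raw message.
SAMPLE_HEADERS = """\
Received: from [12.222.202.34] (helo=www.steelsoldiers.com)
 by box386.bluehost.com with esmtp (Exim 4.76)
 (envelope-from <steelsol@www.steelsoldiers.com>)
 id 1SCD4s-00063C-Rh
 for paulfarber@42gpw.com; Mon, 26 Mar 2012 10:47:30 -0600
Received: by www.steelsoldiers.com (Postfix, from userid 500)
 id 5EEC7D31B2B; Mon, 26 Mar 2012 12:47:21 -0400 (EDT)
"""

def unfold(raw):
    """Join folded header lines; a continuation line starts with whitespace (RFC 5322)."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_received(raw):
    """Return one dict per Received hop, outermost first; the last one is the origin."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        clause, _, date = line.split(":", 1)[1].rpartition(";")
        hop = {
            "from_ip": _grab(r"from \[([\d.]+)\]", clause),      # connecting peer's IP
            "helo": _grab(r"helo=([\w.-]+)", clause),            # name the peer claimed
            "by": _grab(r"\bby ([\w.-]+)", clause),              # MTA that recorded the hop
            "userid": _grab(r"from userid (\d+)", clause),       # Postfix local submission
            "envelope_from": _grab(r"envelope-from <([^>]+)>", clause),
            "date": date.strip(),
        }
        # No remote 'from' clause: the MTA accepted the message from a local process.
        hop["local_injection"] = hop["from_ip"] is None and hop["userid"] is not None
        hops.append(hop)
    return hops

def chain_consistent(hops):
    """Each hop's HELO name should match the 'by' host of the hop recorded before it."""
    return all(o["helo"] == i["by"] for o, i in zip(hops, hops[1:]))
```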

Re: Steelsoldiers.com HACKED!!!

Postby deadline » Mon Mar 26, 2012 4:30 pm

Seems that the site is blaming 'anonymous' for the hack.

It seems that they used a vbulletin exploit or perhaps an SQL attack.

I wonder if it's just a random script attack that worked, or if they pissed off someone.
deadline
Site Admin
 
Posts: 52
Joined: Wed Oct 10, 2007 1:16 am

Re: Steelsoldiers.com HACKED!!!

Postby pfarber » Tue Mar 27, 2012 12:12 am

Fun's over.. site is back up.

Most c-panel run sites do a daily backup so putting things back in should not have taken all day... but unless you do it for a living I bet most people don't have a clue where to start.

If they didn't do a full restore.. gotta wonder what kind of backdoors are still there.

Of course a SMART hacker would have broken in, let it sit for a week to make sure the weekly backup contained the exploited code (so when they 'figgered it out' and did a restore, they are restoring the original hack!) hahahahahahaha

And I repeat: IT WASN'T ME. I'm way too lazy to start a revolution... and unless it started with the GM Archives I still wouldn't be interested.

But I still maintain that SS is run by tools.

